OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] the value of AuthnInstant

As I said before, I think this is the correct reading of the current
core spec (as in other interpretations are wrong).  From the preamble 
in section 2.7.2:

	The <AuthnStatement> element describes a statement by the SAML
	asserting that the assertion subject was authenticated by a
	means at a particular time.

and the description of AuthnInstant (an attribute of the

	Specifies the time at which the authentication took place....

I don't think this leaves much to deployment/implementation


> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Monday, February 11, 2008 4:57 PM
> To: Cahill, Conor P
> Cc: Scott Cantor; SAML Developers
> Subject: Re: [saml-dev] the value of AuthnInstant
> That makes total sense, Conor.  Your words could be considered errata,
> think.
> Tom
> On Feb 11, 2008 4:20 PM, Cahill, Conor P <conor.p.cahill@intel.com>
> > Yes, a cookie could be considered
> > some form of authentication.  However, if the IdP says in the AC
> > the
> > user presented username/password, then the AuthnInstant has to be
> > that
> > took place, not when some session cookie was presented to the IdP.
> >
> > So, yes, if I have an AuthnContext that says "Got a cookie", then
> > AuthnInstant can match the IssueInstant.
> >
> > Conor

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]